Burp Suite User Forum

Support CWE ID in reports

Jose | Last updated: Jun 30, 2016 12:36PM UTC

Like other professionals, we use CWE to classify vulnerabilities. In our case we try to use several tools and correlate vulnerabilities in this way. Thanks to that we can create custom reports using our description of vulnerabilities, and if we need to deliver reports in another language, we can keep our translations.

Liam, PortSwigger Agent | Last updated: Jun 30, 2016 01:04PM UTC

Hi Jose,

Thanks for your message. Burp doesn't currently classify its Scanner issues relative to the CWE standards. We might add this feature in future (and mappings to other standards too) but we can't currently promise an ETA for this, sorry.

You can view all of Burp's issue types here – https://portswigger.net/KnowledgeBase/Issues/.

Please let us know if you need any further assistance.

Burp User | Last updated: Nov 23, 2018 11:42AM UTC

May I know whether the Burp vulnerabilities are classified into any security standards (OWASP/CWE)? Also, please confirm whether the Burp scanner covers all the OWASP top 10 2017 vulnerabilities?

Liam, PortSwigger Agent | Last updated: Nov 23, 2018 11:52AM UTC

Vivek, Burp classifies issues with CWE where appropriate: https://portswigger.net/kb/issues/00100100_os-command-injection

Yes, Burp can test for all of the vulnerability types listed in the 2017 OWASP top ten. It's worth noting that A10 (Insufficient logging and monitoring) isn't really a vulnerability type, although you could use Burp to test whether attacks trigger your monitoring system.
